BuddyPress Photos+tags Security & Risk Analysis

wordpress.org/plugins/bp-phototag

Photo Albums for BuddyPress with friend tagging (like facebook). Includes Posts to Wire, Member Comments, and Gallery Privacy Controls.

10 active installs · v1.1 · PHP + · WP 3.1.0+ · Updated Unknown
Tags: album, albums, bp, buddypress, picture
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is BuddyPress Photos+tags Safe to Use in 2026?

Generally Safe

Score 100/100

BuddyPress Photos+tags has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The bp-phototag plugin v1.1 exhibits a generally good security posture, with no known CVEs and a significant portion of its SQL queries using prepared statements. However, the taint analysis identified one flow with an unsanitized path and a high-severity taint, indicating a potential vulnerability that could be exploited. In addition, only 43% of output is properly escaped, which leaves a substantial risk of cross-site scripting (XSS) vulnerabilities, although no external entry points such as AJAX or REST APIs were identified through which these issues could be exploited directly. The lack of known vulnerabilities in the plugin's history is positive, but it should not overshadow the red flags raised by the static analysis.

Key Concerns

  • High severity taint flow with unsanitized path
  • Low percentage of properly escaped output
Vulnerabilities
None known

BuddyPress Photos+tags Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

BuddyPress Photos+tags Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

BuddyPress Photos+tags Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 8 (30 prepared)
Unescaped Output: 72 (55 escaped)
Nonce Checks: 5
Capability Checks: 4
File Operations: 7
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

79% prepared · 38 total queries

Output Escaping

43% escaped · 127 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

1 flow · 1 with unsanitized paths
<phototag-gethint> (photo-tagging\phototag-gethint.php:0)
Attack Surface

BuddyPress Photos+tags Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 52
action wp includes\bpa.core.php:84
action bp_setup_globals includes\bpa.core.php:86
action admin_menu includes\bpa.core.php:87
action admin_menu includes\bpa.core.php:113
action network_admin_menu includes\bpa.core.php:132
action bp_setup_nav includes\bpa.core.php:194
filter bp_located_template includes\bpa.core.php:248
action wpmu_delete_user includes\bpa.core.php:680
action delete_user includes\bpa.core.php:681
action init includes\bpa.core.php:954
action wp_head includes\bpa.cssjs.php:40
filter bp_album_title_before_save includes\bpa.filters.php:23
filter bp_album_title_before_save includes\bpa.filters.php:24
filter bp_album_description_before_save includes\bpa.filters.php:26
filter bp_album_description_before_save includes\bpa.filters.php:27
filter bp_album_get_picture_title includes\bpa.filters.php:29
filter bp_album_get_picture_title includes\bpa.filters.php:30
filter bp_album_get_picture_title includes\bpa.filters.php:31
filter bp_album_get_picture_title includes\bpa.filters.php:32
filter bp_album_get_picture_title_truncate includes\bpa.filters.php:34
filter bp_album_get_picture_title_truncate includes\bpa.filters.php:35
filter bp_album_get_picture_title_truncate includes\bpa.filters.php:36
filter bp_album_get_picture_title_truncate includes\bpa.filters.php:37
filter bp_album_get_picture_desc includes\bpa.filters.php:39
filter bp_album_get_picture_desc includes\bpa.filters.php:40
filter bp_album_get_picture_desc includes\bpa.filters.php:41
filter bp_album_get_picture_desc includes\bpa.filters.php:42
filter bp_album_get_picture_desc includes\bpa.filters.php:43
filter bp_album_get_picture_desc includes\bpa.filters.php:44
filter bp_album_get_picture_desc includes\bpa.filters.php:45
filter bp_album_get_picture_desc includes\bpa.filters.php:46
filter bp_album_get_picture_desc_truncate includes\bpa.filters.php:48
filter bp_album_get_picture_desc_truncate includes\bpa.filters.php:49
filter bp_album_get_picture_desc_truncate includes\bpa.filters.php:50
filter bp_album_get_picture_desc_truncate includes\bpa.filters.php:51
filter bp_album_get_picture_desc_truncate includes\bpa.filters.php:52
filter bp_album_get_picture_desc_truncate includes\bpa.filters.php:53
filter bp_album_get_picture_desc_truncate includes\bpa.filters.php:54
action bp_template_title includes\bpa.screens.php:27
action bp_template_content includes\bpa.screens.php:28
action bp_template_content includes\bpa.screens.php:264
filter upload_dir includes\bpa.screens.php:459
action bp_actions includes\bpa.screens.php:561
action wp includes\bpa.screens.php:562
action bp_actions includes\bpa.screens.php:704
action wp includes\bpa.screens.php:705
action bp_actions includes\bpa.screens.php:743
action wp includes\bpa.screens.php:744
action bp_album_all_images includes\bpa.screens.php:761
action bp_include loader.php:32
action admin_notices loader.php:153
action admin_menu loader.php:160
Maintenance & Trust

BuddyPress Photos+tags Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.2.1
Last updated: Unknown
PHP min version
Downloads: 17K

Community Trust

Rating: 20/100
Number of ratings: 1
Active installs: 10
Developer Profile

BuddyPress Photos+tags Developer Profile

Jesse LaReaux

1 plugin · 10 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect BuddyPress Photos+tags

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bp-phototag/css/bp-album-style.css
/wp-content/plugins/bp-phototag/css/jquery.Jcrop.css
/wp-content/plugins/bp-phototag/js/bp-album.js
/wp-content/plugins/bp-phototag/js/bp-album-backend.js
/wp-content/plugins/bp-phototag/js/jquery.Jcrop.js
/wp-content/plugins/bp-phototag/js/jquery.form.js
/wp-content/plugins/bp-phototag/js/jquery.jeditable.min.js
Script Paths
/wp-content/plugins/bp-phototag/js/bp-album.js
/wp-content/plugins/bp-phototag/js/bp-album-backend.js
/wp-content/plugins/bp-phototag/js/jquery.Jcrop.js
/wp-content/plugins/bp-phototag/js/jquery.form.js
/wp-content/plugins/bp-phototag/js/jquery.jeditable.min.js
Version Parameters
bp-phototag/css/bp-album-style.css?ver=
bp-phototag/js/bp-album.js?ver=

HTML / DOM Fingerprints

CSS Classes
bp-album-gallery
bp-album-photo
bp-album-photo-meta
bp-album-edit-photo
bp-album-tag-photo
bp-album-comments-section
HTML Comments
<!-- JLL_MOD - changed plugin header -->
<!-- JLL_MOD - add a table for face-tagging -->
<!-- JLL_MOD - add a table for face-tagging -->
<!-- JLL_MOD - consider adding a field to indicate which version of WP/BP this plugin has been tested with -->
+2 more
Data Attributes
data-photo-id
data-tag-id
data-user-id
JS Globals
bp_album_ajaxurl
bp_album_post_nonce
bp_album_tag_nonce
bp_album_tag_edit_nonce
FAQ

Frequently Asked Questions about BuddyPress Photos+tags